Wednesday, 15 May 2013

Join Debian Wheezy to Windows Active Directory Domain

While looking for something to keep me busy on a quiet day I decided to work out how to get Debian 7 authenticating against our Active Directory domain. I have been doing this for a few years with our Red Hat/CentOS systems, but we have a few Debian boxes for variety and, as they are small, unimportant and just keep ticking over without issues, getting them on the domain has never been a high priority. For Red Hat there is a very good and thorough guide HERE which does an excellent job of explaining the options and how to set up various configurations. By contrast this guide is far more focused on a single scenario and nowhere near as detailed, but it should contain everything required to get a fresh Debian Wheezy (7) install authenticating users with Active Directory accounts as well as local accounts.

Other than authenticating against the Windows domain, I also want every domain user to get the same UID/GID on every system so that sharing files between systems is easier.

The first steps are to make sure the time is correct on the server and that DNS is working. Both matter because the domain join uses Kerberos: a ticket is rejected when the clocks differ by more than five minutes, and the domain controllers are located through DNS SRV records.

# apt-get install ntp

Edit /etc/ntp.conf and point the server lines at the systems you want to use for time updates (the domain controllers are the obvious choice, since that is the clock Kerberos compares against), then restart ntp and check that the current time is correct:

# /etc/init.d/ntp restart
# date
Tue May 14 11:03:42 BST 2013

Check that "hostname -f" returns the correct fully qualified host name. If not, edit both /etc/hostname and /etc/hosts and then reboot. Also check that another host on your network can ping the machine by name and, if not, fix your DNS server so that it can.

Install samba and winbind:

# apt-get install samba smbclient samba-common winbind

Start the samba service and set it to start on boot from now on:

# /etc/init.d/samba start
# update-rc.d samba enable

Install the Kerberos client (the krb5-user package), back up the original /etc/krb5.conf and then replace it with a minimal setup:

Now edit /etc/samba/smb.conf and make the following changes, adding any setting that is not already in the file. Note that "domain logons = no" controls whether this machine acts as a logon server for other machines, not whether domain users can log on here:

Check that the wbinfo commands show users and groups from Active Directory. For some reason my winbind shuts down when I join a domain, so I get the error "Error looking up domain users"; starting winbind again fixes this and it has not died for me since. Hopefully you have now joined the domain, and if you look on your domain controller you should see the computer object in the domain. Next we need to set up authentication so you can log in using domain credentials.

Edit /etc/nsswitch.conf to add winbind as a source for the passwd and group databases:

And check that domain users and groups are returned by the following commands:

# getent passwd
# getent group

Note that if these two getent commands do not return any domain records, check the idmap syntax in your smb.conf: the version of the config file I received with samba had a different structure for the idmap line that stopped getent working. Entering it as shown above makes these two commands work.

Finally, set the system up to create home folders automatically when users first log on by adding the following two lines to /etc/pam.d/common-session (if they are not already in the file).

You should now be able to log in to the system with a domain username and password, and a home folder will be created for you on first logon. If the rid idmap backend is working, each user's ID will be the same on every system, because that backend derives the UID from the account's RID and the configured range instead of handing out the next free number; this is what makes sharing files between machines easy. You can check with the "id" command, which shows the user id (UID), group id (GID) and all the groups the current user is a member of.
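The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that renders the Kerberos, Samba/winbind, NSS and PAM settings from an assumed realm EXAMPLE.COM and workgroup EXAMPLE (placeholders, as are the idmap ranges), keeps a backup of each original file, and after the join checks that a user winbind knows also resolves through NSS, which is the getent symptom described above. The Samba 3.6 idmap keywords, the krb5-user and libpam-winbind packages and the "host" DNS utility are assumptions; set ROOT=/tmp/stage to render into a staging tree and inspect the result before anything under /etc changes.

```shell
#!/bin/sh
# Added example, not code from the original post: renders the Kerberos,
# Samba/winbind, NSS and PAM settings the post walks through from a few
# variables, so they can be reviewed in a staging tree (ROOT=/tmp/stage)
# before anything under /etc changes. Realm, workgroup and ID ranges are
# placeholders; assumes Debian Wheezy (Samba 3.6) with krb5-user, samba,
# winbind, libpam-winbind installed and the "host" utility for DNS checks.

REALM="${REALM:-EXAMPLE.COM}"       # AD DNS domain in upper case = Kerberos realm
WORKGROUP="${WORKGROUP:-EXAMPLE}"   # NetBIOS (short) domain name
ROOT="${ROOT:-}"                    # "" = live system, otherwise a staging dir

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

check_prereqs() {
  # Kerberos needs a fully qualified hostname, SRV records for the realm and
  # a clock within 5 minutes of the DC (libkrb5's default clockskew).
  fqdn=$(hostname -f 2>/dev/null) || return 1
  case "$fqdn" in *.*) ;; *) echo "hostname -f not fully qualified: $fqdn" >&2; return 1 ;; esac
  host -t SRV "_kerberos._tcp.$(lower "$REALM")" >/dev/null || { echo "no Kerberos SRV record for $REALM" >&2; return 1; }
  ntpq -pn | grep -q '^\*' || echo "warning: ntp has no synced peer yet" >&2
}

render_krb5_conf() {
  # Minimal krb5.conf: KDCs are found through DNS instead of a hard-coded list.
  cat <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = true
    dns_lookup_realm = false
[domain_realm]
    .$(lower "$REALM") = $REALM
    $(lower "$REALM") = $REALM
EOF
}

render_smb_conf() {
  # Samba 3.6 "idmap config" syntax. The rid backend computes UID/GID from the
  # account's RID plus the range start, so every machine with the same range
  # gets identical IDs; the "*" backend only serves non-domain SIDs (BUILTIN).
  cat <<EOF
[global]
    workgroup = $WORKGROUP
    realm = $REALM
    security = ads
    # domain member only, never a logon server for other machines
    domain logons = no
    # pool for non-domain SIDs; must not overlap local UIDs (1000+)
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # deterministic IDs for domain accounts; use this range on every box
    idmap config $WORKGROUP : backend = rid
    idmap config $WORKGROUP : range = 10000-999999
    winbind use default domain = yes
    # enumeration is what lets "getent passwd" list domain accounts
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%U
EOF
}

write_file() {
  # $1 = absolute path, stdin = new content; keeps the first version as .orig
  dest="$ROOT$1"
  mkdir -p "$(dirname "$dest")"
  if [ -e "$dest" ] && [ ! -e "$dest.orig" ]; then cp -p "$dest" "$dest.orig"; fi
  cat > "$dest"
}

patch_nsswitch() {
  # $1 = nsswitch.conf; appends winbind to passwd and group once (idempotent)
  sed -E -i '/^(passwd|group):/{/winbind/!s/$/ winbind/}' "$1"
}

patch_common_session() {
  # $1 = pam.d/common-session; creates the home directory on first login,
  # umask=0077 so new homes are private (the umask a commenter suggested).
  grep -q pam_mkhomedir.so "$1" ||
    printf 'session required pam_mkhomedir.so skel=/etc/skel umask=0077\n' >> "$1"
}

join_and_check() {
  # $1 = AD account allowed to join computers; net prompts for its password.
  testparm -s >/dev/null && /etc/init.d/samba restart || return 1
  net ads join -U "$1" || return 1
  /etc/init.d/winbind restart        # the post saw winbind stop during the join
  wbinfo -t && wbinfo -u >/dev/null && wbinfo -g >/dev/null || return 1
  first=$(wbinfo -u | head -n 1)     # a user winbind knows must also resolve via NSS
  getent passwd "$first" >/dev/null || { echo "NSS lookup failed: check nsswitch.conf and idmap" >&2; return 1; }
}

main() {
  if [ -z "$ROOT" ]; then check_prereqs || return 1; fi
  render_krb5_conf | write_file /etc/krb5.conf
  render_smb_conf  | write_file /etc/samba/smb.conf
  patch_nsswitch "$ROOT/etc/nsswitch.conf"
  patch_common_session "$ROOT/etc/pam.d/common-session"
  if [ -z "$ROOT" ]; then join_and_check "${1:-Administrator}"; fi
}
# usage: REALM=AD.EXAMPLE.ORG WORKGROUP=AD AD_JOIN_RUN=1 sh join-ad.sh Administrator
if [ "${AD_JOIN_RUN:-0}" = 1 ]; then main "$@"; fi
```

For a dry run, copy /etc/nsswitch.conf and /etc/pam.d/common-session into the staging tree first, since the two patch functions edit existing files in place. The final check is deliberately two-stage: wbinfo answering while getent does not means the join is fine and the problem is in nsswitch.conf or the idmap lines, which is exactly the failure the idmap note above describes.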

My next steps are to add a Domain Admins group to the sudoers file via visudo to allow jumping to root when required, and then to block root access over ssh.

Thank you for the documentation. It is concise and accurate. Two questions came up for me since I cut my teeth as a Windows admin and Debian admin is pretty new to me, so I thought I'd contribute here.

If you want to bless Domain Admins as sudoers, the line can be added through visudo as follows:

%domain\ admins ALL=(ALL:ALL) ALL

* The % symbol represents a group.
* The word "domain" is literal. Don't substitute your domain name.
* We've already specified that group name lookup should include domain groups, via referencing winbind in nsswitch.conf.
* The backslash+space is just a space, but it has to be approached with the backslash as an escape character.
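The author's stated next steps (sudo for the AD admins group, no root over ssh), together with the sudoers line in the comment above, as an added example that is not part of the original post or the comment: a POSIX shell script that installs a sudoers drop-in only after visudo has accepted it, and rewrites sshd_config on a copy that sshd validates before it replaces the live file. The group names are placeholders; "linux-admins" is an assumed AD group created without spaces, because AllowGroups patterns are whitespace separated and cannot hold "domain admins".

```shell
#!/bin/sh
# Added example, not code from the original post: the author's stated next
# steps (sudo for an AD admin group, no root over ssh) with a syntax check
# before each change goes live. Group names are placeholders. "domain admins"
# is how the built-in group appears with "winbind use default domain = yes";
# without it the name is "EXAMPLE\domain admins" and the backslash itself
# must be doubled in sudoers.

render_sudoers() {
  # $1 = group name; sudoers needs every space in a group name escaped
  esc=$(printf '%s' "$1" | sed 's/ /\\ /g')
  printf '%%%s ALL=(ALL:ALL) ALL\n' "$esc"
}

install_sudoers() {
  # $1 = group; writes a drop-in (Debian's sudoers has #includedir
  # /etc/sudoers.d) only after visudo has accepted the syntax
  tmp=$(mktemp)
  render_sudoers "$1" > "$tmp"
  if ! visudo -c -q -f "$tmp"; then
    echo "sudoers syntax check failed, nothing installed" >&2; rm -f "$tmp"; return 1
  fi
  install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/domain-admins && rm -f "$tmp"
}

patch_sshd_config() {
  # $1 = sshd_config; $2 = group allowed to log in. Drops root logins and limits
  # ssh to one group. AllowGroups patterns are whitespace separated, so a group
  # whose name contains spaces cannot be used here; pick or create one without.
  case "$2" in *' '*) echo "AllowGroups cannot take a name with spaces: $2" >&2; return 1 ;; esac
  # remove existing (uncommented) settings, then put ours at the top of the
  # file so a later Match block cannot swallow them
  sed -E -i '/^[[:space:]]*(PermitRootLogin|AllowGroups)[[:space:]]/d' "$1"
  { printf 'PermitRootLogin no\nAllowGroups %s\n' "$2"; cat "$1"; } > "$1.new" && mv "$1.new" "$1"
}

apply_sshd() {
  # patch a copy, let sshd validate it, and only then replace the live file
  tmp=$(mktemp)
  cp /etc/ssh/sshd_config "$tmp"
  patch_sshd_config "$tmp" "$1" && /usr/sbin/sshd -t -f "$tmp" || { rm -f "$tmp"; return 1; }
  cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
  cat "$tmp" > /etc/ssh/sshd_config && rm -f "$tmp"
  /etc/init.d/ssh restart
}

# usage: AD_HARDEN_RUN=1 sh harden.sh   (keep your current root shell open until
# a fresh login through the new rules, followed by sudo -i, has worked)
if [ "${AD_HARDEN_RUN:-0}" = 1 ]; then
  install_sudoers "${SUDO_GROUP:-domain admins}"
  apply_sshd "${SSH_GROUP:-linux-admins}"
fi
```

Keep an existing root session open while you test: a typo in either file locks every administrator out, which is why both checks run on a copy and nothing is restarted until the copy passes.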

Great tutorial, worked perfectly on every Debian system I have. The only thing I changed, in my case, is the umask applied on home directory creation: I would recommend using umask=0077 for security and privacy reasons. Thanks a lot for your work.

Thanks for the comments Anon! Don't forget that you need to block more than just those 2 shells (look in /etc/shells for a full list) and that things like vi can execute shell commands as root even if blocked by sudo.

I was not aware of the way to restrict logins to a group of users though - that will come in handy. Previously I've used active directory itself to set which users are allowed to login to a host but this would be a lot quicker for a one off change.

Hello, thanks for this tutorial, but I am stuck on editing the "common-session" file. Do I need to add these two lines to this file or replace some other setting?

My default "common-session" file:

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_systemd.so

Hi, I could have been clearer there. You need to add the two lines to the file; however, you already have "session required pam_unix.so", so I would just put the pam_mkhomedir.so line underneath so the end of your file looks like this:

First, thank you for your tutorial. On my end it works fine until the line:

# net join -S dc -U administrator

After entering the administrator password I got the following error message:

Failed to join domain: failed to join domain 'XXX.YYYY' over rpc: NT_STATUS_NOT_SUPPORTED

I have tried several times and one time a second message came up:

ADS join did not work, falling back to RPC...

I have been searching on the web for hours without any improvement. Any help would be greatly appreciated!
